A Method for the Application of Implicit Signature Schemes

This invention relates generally to cryptographic schemes, and more specifically to
implicit signature schemes.

Background of the invention 

Diffie-Hellman key agreement provided the first practical solution to the key
distribution problem in cryptographic systems. The key agreement protocol allows two
parties never having met in advance or sharing key material to establish a shared secret
by exchanging messages over an open (unsecured) channel. The security rests on the
intractability of computing discrete logarithms or of factoring large integers.

With the advent of the Internet and the like, the requirement for large-scale
distribution of public keys and public key certificates is becoming increasingly important
to enable systems like Diffie-Hellman key agreement.

A number of vehicles are known by which public keys may be stored, distributed
or forwarded over unsecured media without danger of undetectable manipulation. These
vehicles include public-key certificates, identity-based systems, and implicit certificates.
The objective of each vehicle is to make one party's public key available to others such
that its authenticity and validity are verifiable.

A public-key certificate is a data structure consisting of a data part and a signature
part. The data part contains cleartext data including, as a minimum, a public key and a
string identifying the party to be associated therewith. The signature part consists of the
digital signature of a certification authority (CA) over the data part, effectively the
encryption of the data with the CA's private key so it may be recovered with the CA's public
key, thereby binding the entity's identity to the specified public key. The CA is a trusted
third party whose signature on the certificate vouches for the authenticity of the public
key bound to the subject entity.

Identity-based systems (ID-based systems) resemble ordinary public-key systems,
involving a private transformation and a public transformation, but parties do not have
explicit public keys as before. Instead, the public key is effectively replaced by a party's
publicly available identity information (e.g. name or network address). Any publicly
available information which uniquely identifies the party and can be undeniably
associated with the party may serve as identity information. Here a trusted CA is
required to furnish each party with the private key corresponding to their public key.

An alternate approach to distributing public keys involves implicitly certified
public keys. Here explicit user public keys exist, but they are to be reconstructed by the
recipient rather than transported by explicitly signed public-key certificates as in
certificate based systems. Thus implicitly certified public keys may be used as an
alternative means for distributing public keys (e.g. Diffie-Hellman keys).

With a conventional certificate, the authenticity of the information must be
verified to ensure that the sender and the sender's public key are bound to one another.
With an implicit certification it is simply necessary to verify the sender's signature of the
message using the implicit certificate. The primary advantage of implicit certificates is
that the computationally expensive explicit certificate verification is not required as it is in
certification schemes. Further, unconditionally trusted CAs are not required as they are
in ID-based schemes.

An example of an implicitly certified public key mechanism is known as
Gunther's implicitly-certified public key method. In this method:

1. A trusted server T selects an appropriate fixed public prime p and
generator α of Z_p^*. T selects a random integer t, with 1 ≤ t ≤ p−2 and
gcd(t, p−1) = 1, as its private key, and publishes its public key u = α^t mod
p, along with α, p.

2. T assigns to each party A a unique name or identifying string I_A and a
random integer k_A with gcd(k_A, p−1) = 1. T then computes P_A = α^(k_A) mod
p. P_A is A's key reconstruction public data, allowing other parties to
compute (P_A)^a below.

3. Using a suitable hash function h, T solves the following equation for a:

h(I_A) = t·P_A + k_A·a (mod p−1)

4. T securely transmits to A the pair (r, s) = (P_A, a), which is T's ElGamal
signature on I_A. (a is A's private key for Diffie-Hellman key agreement.)

5. Any other party can then reconstruct A's Diffie-Hellman public key (P_A)^a
entirely from publicly available information (α, I_A, u, P_A, p) by computing:

Thus signing an implicit certificate needs one exponentiation operation, but
reconstructing the ID-based implicitly-verifiable public key needs two exponentiations.
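The five steps of Gunther's method above, as an added worked example in Python (not code from the patent). It assumes SHA-256 reduced modulo p−1 as the hash h, the toy safe prime p = 2039 = 2·1019 + 1 with its smallest generator as α, and fixed values for t and k_A in place of random draws. The step-5 formula is not printed on this page; the form used here, (P_A)^a = α^h(I_A) · u^(−P_A) mod p, follows directly from the step-3 equation, since α^h(I_A) = α^(t·P_A) · α^(k_A·a) = u^(P_A) · (P_A)^a.

```python
import hashlib
from math import gcd


def h(identity: str, modulus: int) -> int:
    """The hash function h of step 3: SHA-256 of I_A reduced mod (p-1). Assumed choice."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % modulus


def find_generator(p: int, q: int) -> int:
    """Smallest generator alpha of Z_p^* for a safe prime p = 2q + 1
    (element orders divide 2q, so order 2q iff g^2 != 1 and g^q != 1)."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("p is not a safe prime of the form 2q + 1")


def server_setup(p: int, alpha: int, t: int) -> int:
    """Step 1: private key t with 1 <= t <= p-2 and gcd(t, p-1) = 1; public key u = alpha^t mod p."""
    if not (1 <= t <= p - 2 and gcd(t, p - 1) == 1):
        raise ValueError("t must lie in [1, p-2] and be coprime to p-1")
    return pow(alpha, t, p)


def issue(p: int, alpha: int, t: int, identity: str, k_a: int):
    """Steps 2-4: P_A = alpha^k_A mod p, then solve h(I_A) = t*P_A + k_A*a (mod p-1) for a.
    Returns (P_A, a): T's ElGamal signature (r, s) on I_A, a being A's private key."""
    if gcd(k_a, p - 1) != 1:
        raise ValueError("k_A must be coprime to p-1 so it is invertible mod p-1")
    p_a = pow(alpha, k_a, p)
    a = (h(identity, p - 1) - t * p_a) * pow(k_a, -1, p - 1) % (p - 1)
    return p_a, a


def reconstruct(p: int, alpha: int, u: int, identity: str, p_a: int) -> int:
    """Step 5: recover (P_A)^a from public data only, as alpha^h(I_A) * u^(-P_A) mod p
    (two modular exponentiations; Python 3.8+ accepts the negative exponent)."""
    return pow(alpha, h(identity, p - 1), p) * pow(u, -p_a, p) % p


def demo() -> bool:
    """Toy run with constructed parameters; True if the reconstructed key equals (P_A)^a."""
    p, q = 2039, 1019                 # assumed toy safe prime p = 2q + 1
    alpha = find_generator(p, q)
    t, k_a = 7, 5                     # constructed; draw with `secrets` in practice
    u = server_setup(p, alpha, t)
    p_a, a = issue(p, alpha, t, "alice@example.test", k_a)
    return reconstruct(p, alpha, u, "alice@example.test", p_a) == pow(p_a, a, p)


if __name__ == "__main__":
    print("reconstructed key matches (P_A)^a:", demo())
```

The check in demo() is the property the text relies on: a party holding only (α, I_A, u, P_A, p) obtains the same value as A, who computes (P_A)^a with the private a, so A's Diffie-Hellman public key needs no separate signed certificate.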
It is known that exponentiation in the group Z_p^* and its analog, scalar
multiplication of a point in E(F_q), is computationally intensive. An RSA scheme is
extremely slow, requiring successive squaring and multiplication operations. Elliptic
curve (EC) cryptosystems are not only more robust but also more efficient by using
doubling and adding operations. However, despite the resounding efficiency of EC
systems over RSA type systems, the computational requirement is still a problem,
particularly for computing devices having limited computing power such as "smart
cards", pagers and the like.

Significant improvements have been made in the efficacy of certification
protocols by adopting the protocols set out in Canadian patent application 2,232,936. In
this arrangement, an implicitly-certified public key is provided by cooperation between a
certifying authority, CA, and a correspondent A.

For each correspondent A, the CA selects a unique identity I_A distinguishing the
entity A. The CA generates public data γ_A for reconstruction of a public key of
correspondent A by mathematically combining a private key of the trusted party CA and
a generator created by the CA with a private value of the correspondent A. The values
are combined in a mathematically secure way such that the pair (I_A, γ_A) serves as
correspondent A's implicit certificate. The CA combines the implicit certificate
information (I_A, γ_A) in accordance with a mathematical function F(γ_A, I_A) to derive an
entity information f. A private key a of the correspondent A is generated from f and the
private value of the correspondent A. The correspondent A's public key may be
reconstructed from the public information, the generator γ_A and the identity I_A relatively
efficiently.
Certificates, implicit certificates, and ID-based systems provide assurance of the
authenticity of public keys. However, it is frequently necessary to verify the status of the
public key to ensure it has not been revoked by the CA.

Several solutions are known to this revocation problem, the most common being
the use of certificate revocation lists (CRLs). Each CA maintains a CRL which contains
the serial numbers of revoked certificates and is signed by the CA using its private key.
When a recipient receives a message that has been secured with a certificate, the recipient
will recover the serial number and check the CRL.

Typically, therefore, the correspondent A will sign a message m with a private
key, a, and forward it together with a certificate from the CA that binds the sender A and
the public key aP. The recipient B checks the certificate and verifies the signature on the
message. The correspondent B will then ask the CA whether the certificate is valid
and receives a message signed by the CA confirming the status of the certificate at a
particular time. The correspondent B will then verify the signature on the CA's message
and proceed accordingly to accept or reject the message sent by correspondent A.

During this process it is necessary for correspondent A to perform one signature, 
for the CA to perform one signature, and for the recipient B to verify three signatures. 

CAs may also issue authorization or attributable certificates in addition to public- 
key certificates. In this case the certificate issued by the CA to the correspondent A has a 
certain expiry or has details such as a credit limit or access rights to certain programs. 

However with each arrangement, verification of the certificates is necessary as the 
information contained in the certificate may change periodically, even within the life of 
the certificate. 

Furthermore, a correspondent may wish to be recertified. This is particularly true
if the correspondent has reason to believe that its implicit public key has been
compromised. However, recertification is a costly process that requires the
correspondent to regenerate its private key, securely communicate its private key to the
CA, and regenerate the data for constructing and reconstructing the implicit public key.

Accordingly, there is a need for a technique that simplifies the verification and
recertification of certificates issued by a certifying authority, and it is an object of the
present invention to provide a technique that obviates or mitigates the above
disadvantages.

Summary of the Invention 

In accordance with an embodiment of the present invention there is provided a
method of verifying a transaction over a data communication system between a first and
second correspondent through the use of a certifying authority. The certifying authority
has control of a certificate's validity, which is used by at least the first correspondent.
The method comprises the following steps. One of the first and second correspondents
advises the certifying authority that the certificate is to be validated. The certifying
authority verifies the validity of the certificate attributed to the first correspondent. The
certifying authority generates implicit signature components including specific
authorization information. At least one of the implicit signature components is
forwarded to the first correspondent for permitting the first correspondent to generate an
ephemeral private key. At least one of the implicit signature components is forwarded to
the second correspondent for permitting recovery of an ephemeral public key
corresponding to the ephemeral private key. The first correspondent signs a message
with the ephemeral private key and forwards the message to the second correspondent.
The second correspondent attempts to verify the signature using the ephemeral public
key and proceeds with the transaction upon verification.

Brief Description of the Drawings

Embodiments of the present invention will now be described by way of example
only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system; 

Figure 2 is a flow chart illustrating the exchange of information conducted on the
system of figure 1 in a first embodiment;

Figure 3 is a flow chart illustrating the exchange of information conducted on the 
system of figure 1 in a second embodiment; 

Figure 4 is a flow chart showing a third embodiment of the system of Figure 1;

Figure 5 is a flow chart showing a fourth embodiment of the system of Figure 1; 
Figure 6 is a flow chart showing a fifth embodiment of the system of Figure 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring therefore to figure 1, a data communication system 10 includes a pair of
correspondents A, B, respectively identified as 12, 14, interconnected by a communication
link 16. The correspondent B, 14, is also connected by a communication link 18 to a
certifying authority, CA, indicated at 20. It will be appreciated that the links 16, 18 are
typically telephone lines or wireless links allowing the parties to route messages to
intended recipients.

Each of the correspondents 12, 14 and the certifying authority 20 incorporate
cryptographic units 22 that perform public-key cryptographic functions under the control
of cryptographic software that may be embodied on a data carrier or programmed in an
integrated circuit. Such implementations are well known and need not be described in
detail, except to the extent necessary to appreciate the operation of the exchange of
messages. For the purpose of this description it is assumed that each of the units 22
implements an elliptic curve public-key cryptosystem (ECC) operating in a field defined
over F(q), but it will be appreciated that other implementations, such as those using
Z_p^*, the multiplicative group of integers modulo a prime, may be used.

The parameters for the ECC are an underlying cubic curve and a defined point P
on the curve. The correspondent A has an identity, ID_A, a short term or ephemeral
private key k and a corresponding public key kP. The CA 20 is advised of the public key
kP and identity ID_A, which conveniently remain the same for all correspondence
originating from the correspondent A.

To initiate an exchange of a message, for example a transaction record,
between correspondents A and B, the message is sent by correspondent A to
correspondent B over the communication channel 16. The message m is sent in the clear
or in any other manner that may be read by correspondent B.

The correspondent B advises the certifying authority CA 20 that he has received a
message from correspondent A and may also include some additional information
relating to the nature of the transaction. This may be performed on a dedicated channel or
may be encrypted if the information is considered to be of a sensitive nature. Upon
receiving the information from correspondent B, the CA 20 checks the record of
correspondent A and, if in order, prepares to return to the correspondent B the implicit
certificate components 24, identified as s_i, y_i and A_i.

The component A_i includes the identity of A, i.e. ID_A, typically a unique
distinguishing name or identity, for example a name, address or phone number that is
stored by the CA 20, and a time stamp, message or similar transaction specific
information.

The CA 20 also generates a random integer r and computes a corresponding
public key rP. The value of y_i is then computed from the relationship y_i = kP + rP.

The value of s_i is then computed from the relationship s_i = r − c·H(A_i, y_i),
where c is a long term secret key of the CA 20, and H indicates a secure hash function
such as SHA-1.

The CA 20 forwards s_i, y_i, and A_i to correspondent B. Since A_i contains
transaction specific information, the implicit signature components are also transaction
specific. It is preferable, but not necessary, that the CA signs the signature components
forwarded to correspondent B.

Correspondent B, upon receipt of the communication from the CA 20, forwards
the certificate component s_i to the correspondent A. It is preferable, but not necessary,
that correspondent B signs the certificate component sent to correspondent A. The
correspondent A computes a transaction specific private key a_i from the relationship
a_i = k + s_i. The message m is then signed with the computed private key a_i and returned to the
correspondent B.

The correspondent B then recovers the value corresponding to the transaction
specific public key, a_iP, from the values of y_i and A_i received from the CA 20. The public
key a_iP can be computed from a_iP = y_i − H(A_i, y_i)·cP, where cP is the public key of the CA
20. Correspondent B then checks the signature on the message m. If it verifies then the message is
accepted and the transaction completed.

The implementation described above maintains a relatively small size of
certificate and reduces the work performed by the correspondents A and B. The CA 20 is
required to perform one implicit signature per transaction and correspondent B only
requires one implicit signature verification and two signature verifications per
transaction. Whereas prior proposals would require the CA 20 to return a message to the
correspondent B stating that correspondent A has a valid certificate, this is avoided in the
present embodiment by sending transaction specific implicit certificate components.

As described above, a common key kP is used for each transaction by
correspondent A, but if preferred a different key kP may be used to inhibit tracing of
transactions originating at correspondent A. In this case new values of kP are sent to the
CA 20 offline with appropriate levels of security.

An alternative arrangement is shown in figure 3, wherein like numerals with a
prefix "1" refer to similar components as those of Figure 1, in which the originator of the
message, correspondent A, communicates directly with the CA 120, which has previously
been provided with the identity ID_A and the public key kP. In this arrangement the
correspondent A notifies the CA 120 that a certificate is required. The CA 120 generates
a certificate with components s_i, y_i, A_i as before. The correspondent A then computes the
transaction specific private key a_i = k + s_i and uses it to sign the message m. The signed
message is forwarded together with the explicit signature components y_i and A_i to the
correspondent B.

The correspondent B recovers the public key a_iP from A_i and y_i and checks the
signature on the message m. The transaction specific information in the component A_i is
checked to determine if it is as expected. Verification of the transaction specific
information after it has been recovered is known in the art and depends on the type of
information being verified. If both the signature and the information are verified then the
transaction is accepted.

Alternately, the CA 120 could send s_i to correspondent A and y_i, A_i to
correspondent B. Correspondent A can then sign message m using the private key
a_i = k + s_i and forward the message and signature to correspondent B.

The above protocol may also be used to provide implicit attributable certificates
as shown in figure 4, wherein like numerals with a prefix "2" refer to similar components
as those of Figure 1. Initially the values of ID_A and kP are transferred to the CA 220
from correspondent A. A request is then sent from correspondent A to the CA 220 to
gain access to a particular application controlled by B.
The CA 220 generates a certificate including A_i, y_i and s_i, with A_i including the
ID_A and an indication that the correspondent A can use a particular application, and sends
the certificate to A. A value of a_i = k + s_i is generated by the correspondent A and used to
sign the message m. The signed message is forwarded to correspondent B together with
y_i and A_i, and B recovers the corresponding public key a_iP. The signature is then checked
and, if it verifies, access is given to the application. If the signature does not verify, the
request is returned.

The above implicit attributable certificate is efficient in that it only requires one
signed certificate and, by using different public keys per application, it is hard to trace to a
particular user. Moreover, the identity and the specific attributable certificate can be
incorporated into one certificate rather than the two normally required.

Yet an alternate embodiment, similar to that illustrated in figure 3, is shown in
figure 5. The CA 120 has a private key, c, and a public key, Qc = cP. In order to acquire
a certificate, correspondent A first generates a random integer, a. Integer a is used to
compute a value aP, which is sent to the CA 120 along with correspondent A's identity,
ID_A or, alternately, A_i (which may contain ID_A).

Upon receiving aP and ID_A from correspondent A, the CA 120 generates a
random integer c_A and uses it to calculate correspondent A's certificate, y_A = aP + c_A·P.
The CA 120 also calculates s_A = h(y_A || ID_A || cP)·c + c_A (mod n). The certificate y_A and
s_A are sent to correspondent A. Correspondent A's private key then becomes d = a + s_A,
and its public key becomes Q_A = dP. Correspondent A's public key can be derived from
the certificate according to the equation Q_A = h(y_A || ID_A || cP)·Qc + y_A.

Therefore, if correspondent A wants to sign a message, m, to send to
correspondent B, correspondent A does so using the private key, d. Correspondent A then
sends the signed message along with the certificate, y_A, and identification, ID_A. Upon
receiving the information sent from correspondent A, correspondent B uses the certificate
and identification along with the CA's public key, Qc, for deriving correspondent A's
public key, Q_A. The message is accepted if the signature is verified using correspondent
A's derived public key, Q_A.
In the present embodiment, it is possible for the CA to efficiently recertify
correspondent A. The CA generates a new random number, c_A', and computes c_A'P. Using
the original value of aP received from correspondent A, the CA generates a new
certificate, y_A' = aP + c_A'P, and a new s_A' = h(y_A' || ID_A || cP)·c + c_A' (mod n). The
certificate y_A' and s_A' are sent to correspondent A. Therefore, correspondent A has a
new private key, d' = a + s_A', and a new certificate, y_A'. Therefore, correspondent A's
new public key, Q_A', can be derived according to Q_A' = h(y_A' || ID_A || cP)·Qc + y_A'.

Using such a recertification process, the CA can recertify correspondent A without
requiring correspondent A to change its private value a. However, this scheme requires
sufficient bandwidth to send both y_A' and s_A' to correspondent A. Furthermore, for each
correspondent (such as correspondent A), the CA has to perform a point multiplication to
obtain the new certificate, y_A'.

However, it is possible to make a modification to the recertification process as
described above such that it is more efficient and requires less bandwidth. In the
following example illustrated in figure 6, the CA recertifies all correspondents (including
correspondent A). Also, it is assumed that correspondent A has been previously certified,
acquired the certificate, y_A, from the CA and determined the private key d = a + s_A.

The CA certifies the correspondents at the expiration of a certification period. For
the i-th certification period, the CA generates a random value k_i and computes the value
Q_i = k_iP. For each correspondent such as correspondent A, the CA computes
r_i = h(y_A || ID_A || cP || k_iP || i) and then s_{A,i} = r_i·c + c_A + k_i (mod n). Since the
certificate does not change, it is only necessary for the CA to send s_{A,i} to correspondent A.
The private key for correspondent A becomes d_i = a + s_{A,i} and the certificate remains y_A.

The CA makes Q_i and i publicly available.

Therefore, it is possible to reconstruct correspondent A's public key, d_iP, by
computing r_i and then calculating d_iP = r_i·Qc + y_A + Q_i. Correspondent A
communicates with correspondent B similarly to the situation previously described. If
correspondent A wants to sign a message to send to correspondent B, correspondent A
does so using the private key, d_i. Correspondent A then sends the signed message along
with the certificate, y_A, and identification ID_A. Upon receiving the information sent from
correspondent A, correspondent B uses the certificate and identification along with the
CA's public keys, Qc and Q_i, for deriving r_i. The values r_i, Qc, Q_i, and y_A are then used
for deriving correspondent A's public key. The message is accepted if the signature is
verified using correspondent A's derived public key.

Thus it can be seen that correspondent A's certificate does not change. Therefore,
the CA is only required to send s_{A,i} and i to correspondent A for recertification, which
requires essentially half the bandwidth of sending s_A and y_A as in the previous example.
Further, although the CA has to calculate Q_i = k_iP for the i-th certification period, the
calculation is amortized over all the correspondents. That is, the CA only has to do one
point multiplication for all the correspondents (for the calculation of Q_i). The CA also
has to perform one modular multiplication for each correspondent (while calculating s_{A,i}).
This results in a more efficient process than previously described, wherein the CA has to
perform one point multiplication and one modular multiplication for each correspondent.

Since the recertification scheme described above is not a costly operation for the
CA, the CA could recertify correspondents more frequently than if traditional schemes
are implemented. Therefore, one application of this recertification scheme is to replace
revocation lists. Instead of providing a list of revoked certificates, the CA recertifies only
those certificates that are still valid and have not been revoked.
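The arithmetic of the transaction-specific implicit certificate of figure 2, the certification of figure 5 and the period recertification of figure 6, as one added Python example that is not the patent's own code. It assumes the secp256k1 curve and base point as E(F_q) and P, SHA-256 over a fixed encoding of the concatenated values as the hash H (and h), the function names, and fixed sample scalars in place of random draws. Each recover_* function uses only the data the text says the verifier holds; demo() checks that the reconstructed point equals the private key times P, which is what makes a signature made with that private key verify under the reconstructed key.

```python
import hashlib

# Curve E(F_q) and base point P: the secp256k1 parameters (assumed here; real public constants).
Q = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt, k reduced mod n (the order of P)."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % Q)


def H(*parts) -> int:
    """H / h of the text: SHA-256 over the concatenated parts (points, ints, strings), mod n."""
    d = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):
            d.update(part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big"))
        elif isinstance(part, int):
            d.update(part.to_bytes(32, "big"))
        else:
            d.update(str(part).encode())
    return int.from_bytes(d.digest(), "big") % N


# Figure 2: transaction-specific components (s_i, y_i, A_i); A later sets a_i = k + s_i.
def ca_issue_transaction(c, kP, A_i, r):
    """CA: y_i = kP + rP and s_i = r - c*H(A_i, y_i) (mod n)."""
    y_i = ec_add(kP, ec_mul(r, P))
    return (r - c * H(A_i, y_i)) % N, y_i


def recover_transaction_key(A_i, y_i, cP):
    """B: a_i*P = y_i - H(A_i, y_i)*cP, from A_i, y_i and the CA's public key only."""
    return ec_add(y_i, ec_neg(ec_mul(H(A_i, y_i), cP)))


# Figure 5: certification of A's value aP; A's private key becomes d = a + s_A.
def ca_certify(c, aP, ID_A, c_A):
    """CA: y_A = aP + c_A*P and s_A = h(y_A || ID_A || cP)*c + c_A (mod n)."""
    y_A = ec_add(aP, ec_mul(c_A, P))
    return y_A, (H(y_A, ID_A, ec_mul(c, P)) * c + c_A) % N


def recover_certified_key(y_A, ID_A, Qc):
    """Q_A = h(y_A || ID_A || cP)*Qc + y_A."""
    return ec_add(ec_mul(H(y_A, ID_A, Qc), Qc), y_A)


# Figure 6: period-i recertification; y_A is unchanged and Q_i = k_i*P is shared by everyone.
def ca_recertify(c, c_A, y_A, ID_A, k_i, i):
    """CA: r_i = h(y_A || ID_A || cP || k_i*P || i) and s_{A,i} = r_i*c + c_A + k_i (mod n)."""
    Q_i = ec_mul(k_i, P)
    r_i = H(y_A, ID_A, ec_mul(c, P), Q_i, i)
    return Q_i, (r_i * c + c_A + k_i) % N


def recover_period_key(y_A, ID_A, Qc, Q_i, i):
    """d_i*P = r_i*Qc + y_A + Q_i, where A's private key is d_i = a + s_{A,i}."""
    r_i = H(y_A, ID_A, Qc, Q_i, i)
    return ec_add(ec_add(ec_mul(r_i, Qc), y_A), Q_i)


def demo():
    """Constructed scalars (draw with `secrets` in practice); returns the three checks."""
    c = 123456789
    Qc = ec_mul(c, P)
    k, r = 987654321, 55555
    A_i = "ID_A=alice;tx=0001;time=2024-01-01T00:00Z"   # identity plus transaction data
    s_i, y_i = ca_issue_transaction(c, ec_mul(k, P), A_i, r)
    fig2 = ec_mul((k + s_i) % N, P) == recover_transaction_key(A_i, y_i, Qc)
    a, ID_A, c_A = 424242, "alice", 777777
    y_A, s_A = ca_certify(c, ec_mul(a, P), ID_A, c_A)
    fig5 = ec_mul((a + s_A) % N, P) == recover_certified_key(y_A, ID_A, Qc)
    Q_i, s_Ai = ca_recertify(c, c_A, y_A, ID_A, 31337, 7)
    fig6 = ec_mul((a + s_Ai) % N, P) == recover_period_key(y_A, ID_A, Qc, Q_i, 7)
    return fig2, fig5, fig6


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Because A_i is hashed into s_i, any change to the transaction data (or to y_A, ID_A or the period index i in the later schemes) makes the verifier reconstruct a different point, so a signature by the genuine a_i or d_i no longer verifies; that binding is what lets the components stand in for a separate validity message from the CA.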

In an alternate embodiment, the certificates as described in the previous
embodiments are embedded into an RSA modulus itself. For an RSA encryption
algorithm, correspondent A is required to provide a public key pair, (n, e), where n is the
modulus and e is the public exponent. The modulus is defined as n = pq, where p and q
are large prime numbers. The public exponent is selected as 1 < e < φ, where
φ = (p − 1)(q − 1). It has been shown that a portion of the modulus can be set aside to
have a predetermined value without increasing the vulnerability of the key. This method
is described in detail in U.S. serial no. 08/449,357 filed May 24, 1995, which is hereby
incorporated by reference.
Embedding the certificate into the modulus reduces the bandwidth requirements
since the certificate is included as part of the modulus instead of in addition to it. This
implementation is particularly useful for a CA who signs using RSA and certifies using
ECC. For example, a 2048-bit RSA modulus can easily contain a 160-bit ECC
certificate.

Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to those skilled in the art
without departing from the spirit and scope of the invention as outlined in the claims
appended hereto.
THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:

1. A method of verifying a transaction over a data communication system between a
first and second correspondent through the use of a certifying authority having
control of a certificate's validity, said certificate being used by at least said first
correspondent, said method comprising the steps of:

a) one of said first and second correspondents advising said certifying
authority that said certificate is to be validated;

b) said certifying authority verifying the validity of said certificate attributed 
to said first correspondent; 

c) said certifying authority generating implicit signature components 
including specific authorization information; 

d) forwarding to said first correspondent at least one of said implicit 
signature components for permitting said first correspondent to generate 
an ephemeral private key; 

e) forwarding to said second correspondent at least one of said implicit
signature components for permitting recovery of an ephemeral public key
corresponding to said ephemeral private key;

f) said first correspondent signing a message with said ephemeral private key
and forwarding said message to said second correspondent; and

g) said second correspondent attempting to verify said signature using said
ephemeral public key and proceeding with said transaction upon
verification.

2. A method as defined in claim 1, wherein said second correspondent advises said
certification authority that said certificate is to be validated upon receiving an
initial message from said first correspondent.

3. A method as defined in claim 2, wherein said at least one of said implicit
signature components is forwarded to said second correspondent by said 
certifying authority. 
4. A method as defined in claim 3, wherein said at least one of said implicit
signature components is forwarded to said first correspondent by said second
correspondent.

5. A method as defined in claim 4, wherein said generated implicit signature
components include:

a) y_i, where y_i = kP + rP, and where k is a long term private key of said first
correspondent, r is a random integer generated by said certification
authority, and P is a point on a curve; and

b) s_i, where s_i = r − c·H(A_i, y_i), and where c is a long term private key of said
certifying authority, A_i includes at least one distinguishing feature of said
first correspondent and said specific authorization information, and H
indicates a secure hash function;

wherein said long term private key of said first correspondent is sent to said
certifying authority prior to said verification transaction.

6. A method as defined in claim 5, wherein A_i, y_i, and s_i are forwarded to said
second correspondent and s_i is forwarded to said first correspondent.

7. A method as defined in claim 5, wherein said distinguishing feature includes at
least one of a name of said first correspondent, a telephone number of said first
correspondent, and an address of said first correspondent.

8. A method as defined in claim 5, wherein said specific authorization information 
includes at least one of a time of said transaction and a date of said transaction. 

9. A method as defined in claim 6, wherein said ephemeral private key is generated
according to a_i = k + s_i, where a_i is said ephemeral private key.
10. A method as defined in claim 9, wherein said ephemeral public key is recovered
according to a_iP = y_i − H(A_i, y_i)·cP, where a_iP is said ephemeral public key and cP is
said certifying authority's public key.

11. A method as defined in claim 10, wherein said certifying authority verifies the
validity of said certificate attributed to said first correspondent by checking a list
for determining if said certificate has been revoked.

12. A method as defined in claim 10, wherein said ephemeral private key is a
transaction specific private key and said ephemeral public key is a transaction
specific public key.

13. A method as defined in claim 2, wherein said first correspondent advises said
certification authority that said certificate is to be validated.

14. A method as defined in claim 14, wherein said at least one of said implicit
signature components is forwarded to said first correspondent by said certifying
authority.

15. A method as defined in claim 14, wherein said at least one of said implicit
signature components is forwarded to said second correspondent by said first
correspondent.

16. A method as defined in claim 15, wherein said generated implicit signature 
components include: 

a) y_i, where y_i = kP + rP, and where k is a long term private key of said first
correspondent, r is a random integer generated by said certification
authority, and P is a point on a curve; and

b) s_i, where s_i = r − c·H(A_i, y_i), and where c is a long term private key of said
certifying authority, A_i includes at least one distinguishing feature of said
first correspondent and said specific authorization information, and H
indicates a secure hash function;

wherein said long term private key of said first correspondent is sent to said
certifying authority prior to said verification transaction.

17. A method as defined in claim 16, wherein A_i, y_i, and s_i are forwarded to said first
correspondent, and A_i and y_i are forwarded to said second correspondent.

18. A method as defined in claim 16, wherein said distinguishing feature includes
at least one of a name of said first correspondent, a telephone number of said first
correspondent, and an address of said first correspondent.

19. A method as defined in claim 16, wherein said specific authorization information 
includes at least one of a time of said transaction and a date of said transaction. 

20. A method as defined in claim 17, wherein said ephemeral private key is generated 
according to a_i = k + s_i, where a_i is said ephemeral private key. 

21. A method as defined in claim 20, wherein said ephemeral public key is recovered 
according to a_i P = y_i - H(A_i, y_i)·cP, where a_i P is said ephemeral public key and cP is 
said certifying authority's public key. 

22. A method as defined in claim 21, wherein said certifying authority verifies the 
validity of said certificate attributed to said first correspondent by checking a list 
for determining if said certificate has been revoked. 

23. A method as defined in claim 21, wherein said ephemeral private key is a 
transaction specific private key and said ephemeral public key is a transaction 
specific public key. 
24. A method as defined in claim 15, wherein said generated implicit signature 
components include a parameter for indicating a predetermined permission for 
said first correspondent, said second correspondent granting access to said first 
correspondent according to said predetermined permission upon verification of 
said signature. 

25. A method as defined in claim 15, wherein said generated implicit signature 
components include: 

a) y_A, where y_A = aP + c_A P, and where aP is a long term public key of said 
first correspondent, c_A is a random integer generated by said certifying 
authority, and P is a point on a curve; and 

b) s_A, where s_A = h(y_A || A_i || cP)c + c_A (mod n), and where A_i includes at 
least one distinguishing feature of said first correspondent, where c is a 
long term private key of said certifying authority, n is a large prime 
number, and h indicates a secure hash function. 

26. A method as defined in claim 23, wherein y_A and s_A are forwarded to said first 
correspondent, and A_i and y_A are forwarded to said second correspondent by said 
first correspondent. 

27. A method as defined in claim 25, wherein said distinguishing feature includes 
at least one of a name of said first correspondent, a telephone number of said first 
correspondent, and an address of said first correspondent. 

28. A method as defined in claim 25, wherein said specific authorization information 
includes at least one of a time of said transaction and a date of said transaction. 

29. A method as defined in claim 26, wherein said ephemeral private key is generated 
according to d_A = a + s_A, where d_A is said ephemeral private key. 
30. A method as defined in claim 29, wherein said ephemeral public key is recovered 
according to Q_A = y_A + h(y_A || A_i || Q_C) Q_C, where Q_A is said ephemeral public 
key and Q_C is said certifying authority's long term public key. 

31. A method as defined in claim 30, wherein said certifying authority recertifies said 
certificate attributed to said first correspondent by changing said random integer. 

32. A method as defined in claim 30, wherein said ephemeral private key is a 
transaction specific private key and said ephemeral public key is a transaction 
specific public key. 

33. A method as defined in claim 15, wherein said generated implicit signature 
components include: 

a) i, where i is a certification period; 

b) s_A, where s_A = r_A c + k_i + c_A (mod n), n is a large prime number, c is a long 
term private key of said certifying authority, c_A and k_i are random integers, 
and r_A = h(y_A || A_i || cP || k_i P || i), where A_i includes at least one 
distinguishing feature of said correspondent and said specific authorization 
information, P is a point on a curve, and h indicates a secure hash 
function; 

wherein y_A = aP + c_A P, and where aP is a long term public key of said 
correspondent and y_A has previously been determined by said certifying authority 
and forwarded to said correspondent. 

34. A method as defined in claim 33, wherein i and s_A are forwarded to said first 
correspondent, and A_i and y_A are forwarded to said second correspondent by said 
first correspondent. 
35. A method as defined in claim 33, wherein said distinguishing feature includes 
at least one of a name of said first correspondent, a telephone number of said first 
correspondent, and an address of said first correspondent. 

36. A method as defined in claim 33, wherein said specific authorization information 
includes at least one of a time of said transaction and a date of said transaction. 

37. A method as defined in claim 34, wherein said ephemeral private key is generated 
according to d_A = a + s_A, where d_A is said ephemeral private key. 

38. A method as defined in claim 37, wherein said ephemeral public key is recovered 
according to Q_A = r_A Q_C + y_A + Q_i, where Q_A is said ephemeral public key, Q_i is 
said certifying authority's certification period public key, and Q_C is said 
certifying authority's long term public key. 

39. A method as defined in claim 38, wherein said certifying authority recertifies said 
certificate attributed to said first correspondent for each certification period, i, by 
changing said random integer, k_i. 
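The recovery equations of claims 25 to 30 and the per-period variant of claims 33 to 39 can be checked end to end: the correspondent's private key d_A = a + s_A must match the public key Q_A that a verifier recovers from y_A, A_i and the certifying authority's public data alone. The following is an added worked example, not code from the patent or from any product; it assumes secp256k1 as the concrete curve (the claims only require a point P of prime order n), SHA-256 reduced mod n as the hash h, a constructed identity string as A_i, and function names of its own.

```python
import hashlib
import secrets

# secp256k1 domain parameters: assumption, used only as a concrete prime-order
# group standing in for the generic "point P on a curve" of the claims.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (a = 0, so doubling uses 3x^2)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h(*parts):
    """h(x || y || ...): SHA-256 over the concatenated encodings, reduced mod n.
    Points encode as 64 bytes, the period i as 4 bytes, identities as raw bytes."""
    buf = b""
    for part in parts:
        if isinstance(part, tuple):
            buf += part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        elif isinstance(part, int):
            buf += part.to_bytes(4, "big")
        else:
            buf += part
    return int.from_bytes(hashlib.sha256(buf).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def ca_issue(c, aP, ident):
    """Claim 25: y_A = aP + c_A P and s_A = h(y_A || A_i || cP) c + c_A (mod n).
    The CA keeps c_A so that it can recertify later (claims 33 and 44)."""
    cA = rand_scalar()
    yA = ec_add(aP, ec_mul(cA, G))
    sA = (h(yA, ident, ec_mul(c, G)) * c + cA) % N
    return yA, sA, cA

def recover_public(yA, ident, QC):
    """Claim 30: Q_A = y_A + h(y_A || A_i || Q_C) Q_C, from public data only."""
    return ec_add(yA, ec_mul(h(yA, ident, QC), QC))

def ca_certify_period(c, yA, cA, ident, i):
    """Claim 33: for period i the CA draws k_i, publishes Q_i = k_i P and sends
    s_A = r_A c + k_i + c_A (mod n) with r_A = h(y_A || A_i || cP || k_i P || i)."""
    ki = rand_scalar()
    Qi = ec_mul(ki, G)
    rA = h(yA, ident, ec_mul(c, G), Qi, i)
    return (rA * c + ki + cA) % N, Qi

def recover_public_period(yA, ident, QC, Qi, i):
    """Claim 38: Q_A = r_A Q_C + y_A + Q_i."""
    rA = h(yA, ident, QC, Qi, i)
    return ec_add(ec_add(ec_mul(rA, QC), yA), Qi)

def run_demo():
    """Returns (basic_ok, period1_ok, period2_ok, stale_key_rejected)."""
    c, a = rand_scalar(), rand_scalar()       # CA and correspondent long-term keys
    QC, aP = ec_mul(c, G), ec_mul(a, G)
    ident = b"Alice Example;+1-555-0100;1 Main St"  # constructed A_i (claim 27)
    yA, sA, cA = ca_issue(c, aP, ident)
    basic_ok = ec_mul((a + sA) % N, G) == recover_public(yA, ident, QC)  # d_A = a + s_A
    s1, Q1 = ca_certify_period(c, yA, cA, ident, 1)
    s2, Q2 = ca_certify_period(c, yA, cA, ident, 2)
    p1_ok = ec_mul((a + s1) % N, G) == recover_public_period(yA, ident, QC, Q1, 1)
    p2_ok = ec_mul((a + s2) % N, G) == recover_public_period(yA, ident, QC, Q2, 2)
    # Claim 39: changing k_i recertifies; the period-1 private key no longer
    # matches the key a verifier recovers from the period-2 public data.
    stale = ec_mul((a + s1) % N, G) != recover_public_period(yA, ident, QC, Q2, 2)
    return basic_ok, p1_ok, p2_ok, stale
```

A verifier needs only y_A, A_i and Q_C (plus Q_i and i in the per-period variant) to recover Q_A; it never sees s_A. Recovery alone does not establish that the correspondent holds d_A, so a relying party should treat the recovered point as a candidate key that is confirmed only when the correspondent signs the transaction message with d_A, as the abstract describes. Claims 16 to 21 follow the same algebra with a subtraction, s_i = r - c·H(A_i, y_i), which gives a_i P = y_i - H(A_i, y_i)·cP.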

40. A method as defined in claim 38, wherein said ephemeral private key and said 
ephemeral public key have a predetermined period of validity. 

41. A method as defined in claim 40, wherein said predetermined period of validity is 
one transaction. 

42. A method as defined in claim 40, wherein said predetermined period of validity is 
a predetermined number of transactions. 

43. A method as defined in claim 40, wherein said predetermined period of validity is 
a predetermined time period. 
44. A method for certifying a correspondent through the use of a certifying authority 
having control of a certificate's validity, said method comprising the steps of: 

a) said certifying authority generating a first random number having a value; 

b) generating implicit signature components based on said first random 
number; 

c) publishing a public key of said certifying authority for use in verifying 
said correspondent; 

d) forwarding said implicit signature components from said certifying 
authority to said correspondent; 

wherein said certifying authority recertifies said correspondent's certificate by 
changing said value of said first random number. 

45. A method as defined in claim 44, wherein c_A is said first random number 
generated by said certifying authority and said implicit signature components 
include: 

a) y_A, where y_A = aP + c_A P, and where aP is a long term public key of said 
correspondent and P is a point on a curve; and 

b) s_A, where s_A = h(y_A || A_i || cP)c + c_A (mod n), and where c is a long term 
private key of said certifying authority, n is a large prime number, A_i is an 
identifier of said correspondent and includes at least one distinguishing 
feature of said correspondent, and h indicates a secure hash function. 

46. A method as defined in claim 45, wherein said correspondent is recertified by 
forwarding said implicit signature components for said first random number 
having said changed value from said certifying authority to said correspondent. 

47. A method as defined in claim 43, wherein said first random integer has said value 
for one certification period, said value being changed for other of said 
certification periods. 
48. A method as defined in claim 47, wherein k_i is said first random integer generated 
by said certifying authority for an ith certification period and said implicit 
signature components include: 

c) i, where i is a current certification period; 

d) s_A, where s_A = r_A c + k_i + c_A (mod n), n is a large prime number, c is a long 
term private key of said certifying authority, c_A is a second random 
integer, and r_A = h(y_A || A_i || cP || k_i P || i), where A_i includes at least one 
distinguishing feature of said correspondent, P is a point on a curve, and h 
indicates a secure hash function; 

wherein y_A = aP + c_A P, and where aP is a long term public key of said 
correspondent and y_A has previously been determined by said certifying authority 
and forwarded to said correspondent. 

49. A method as defined in claim 48, wherein said published information further 
includes kiP and i. 

50. A method as defined in claim 49, wherein said correspondent is recertified by 
forwarding said implicit signature components for said first random number 
having said changed value from said certifying authority to said correspondent. 




ABSTRACT 

A method of verifying a transaction over a data communication system between a first 
and second correspondent through the use of a certifying authority. The certifying 
authority has control of a certificate's validity, which is used by at least the first 
correspondent. The method comprises the following steps. One of the first and second 
correspondents advising the certifying authority that the certificate is to be validated. 
The certifying authority verifies the validity of the certificate attributed to the first 
correspondent. The certifying authority generates implicit signature components 
including specific authorization information. At least one of the implicit signature 
components is forwarded to the first correspondent for permitting the first correspondent 
to generate an ephemeral private key. At least one of the implicit signature components 
is forwarded to the second correspondent for permitting recovery of an ephemeral public 
key corresponding to the ephemeral private key. The first correspondent signs a 
message with the ephemeral private key and forwards the message to the second 
correspondent. The second correspondent attempts to verify the signature using the 
ephemeral public key and proceeds with the transaction upon verification. 